Conformity and Interoperability Key Prerequisites for Security of eid documents. Holger Funke, 27 th April 2017, ID4Africa Windhoek

Similar documents
Whitepaper: GlobalTester Prove IS

Verifying emrtd Security Controls

The epassport: What s Next?

LDS2 Concept and Overview: Exploring Possibilities in Travel Border Clearance

This paper focuses on the issue of increased biometric content. We have also published a paper on inspection systems.

CONFORMITY TESTING OF EAC INSPECTION SYSTEMS

EU Passport Specification

2 Electronic Passports and Identity Cards

Test Report. For the participants of the SDW InterOp Final Report, secunet Security Networks AG

Legal Regulations and Vulnerability Analysis

The EAC for MRTD. 26 January 2010

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

Future Expansion for emrtd PKI Mark Joynes, Entrust

Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010

Security of Biometric Passports ECE 646 Fall Team Members : Aniruddha Harish Divya Chinthalapuri Premdeep Varada

ID Security Made in Germany Holistic Solutions for Biometric Systems and Identity Documents

3D Face Project. Overview. Paul Welti. Sagem Défense Sécurité Technical coordinator. ! Background. ! Objectives. ! Workpackages

Biometric Passport from a Security Perspective

Company profile secunet Security Networks AG

Overview of cryptovision's eid Product Offering. Presentation & Demo

BSI TR Part 1.1 A framework for Official Electronic ID Document conformity tests

eid Consulting References

This document is a preview generated by EVS

eidas Standardisation What are the Issues and Concerns? Overview from CEN TC 224 WG 16 ESIGN Gisela Meister

The New Seventh Edition of Doc Barry J. Kefauver Nairobi, Kenya November 2015

Introduction of the Seventh Edition of Doc 9303

Document reader Regula 70X4M

Test plan for eid and esign compliant smart card readers with integrated EACv2

MACHINE READABLE TRAVEL DOCUMENTS

Roadmap for Implementation of New Specifications for MRTDs

cryptovision s Government Solutions Adam Ross, Ben Drisch cryptovision GmbH

Market Trends and Veridos solutions for epassports & ID Documents

Common Criteria Protection Profile

German eid based on Extended Access Control v2

STATUS: For NP ballot for development as a Type 2 Technical Report.

The German IT Security Certification Scheme. Joachim Weber

Security Target Lite SK e-pass V1.0

Introduction to Electronic Identity Documents

An emrtd inspection system on Android. Design, implementation and evaluation

Common Criteria Protection Profile

Face recognition for enhanced security.

secunet Security Networks AG SINA an Overview Sofia,

MULTIAPP V2 PACE - SAC PUBLIC SECURITY TARGET

Certification Report

Experiences of w S itz w e itz rland

How To Secure Electronic Passports. Marc Witteman & Harko Robroch Riscure 02/07/07 - Session Code: IAM-201

An Overview of Electronic Passport Security Features

BSI-CC-PP for

Certification Report. EAL 4+ (ALC_DVS.2) Evaluation of TÜBİTAK BİLGEM UEKAE. AKİS v1.4i PASAPORT

Hash-based Encryption Algorithm to Protect Biometric Data in e-passport

Chip Authentication for E-Passports: PACE with Chip Authentication Mapping v2

Security Target Lite for CEITEC epassport Module CTC21001 with EAC

Intelligent Solutions for the Highest IT Security Requirements

An Overview of Electronic Passport Security Features

Understanding modern security controllers. - which chip do you need for your identity document?

Interview with Fernando Podio Chair of ISO/IEC JTC 1 SC 37 Subcommittee on Biometrics

A National Public Key Directory

Interagency Advisory Board Meeting Agenda, February 2, 2009

eidas Regulation in the context of Cybersecurity: Electronic seals and website certificates: Two sides of a (gold) medal?

Der elektronische Personalausweis Mehr oder weniger Sicherheit?

Electronic passports

Intelligent Solutions for the most Rigorous IT Security Requirements

Giesecke+Devrient. Company Presentation

Assessments Audits CERTIFICATION

Strategies for the Implementation of PIV I Secure Identity Credentials

MACHINE READABLE TRAVEL DOCUMENTS

ISO/IEC INTERNATIONAL STANDARD. Identification cards Machine readable travel documents Part 3: Machine readable official travel documents

Beyond the Border: A Shared Vision for Perimeter Security and Economic Competitiveness

Technology Advances in Authentication. Mohamed Lazzouni, SVP & CTO

The European Union approach to Biometrics

Security Mechanisms and Access Control Infrastructure for e-passports and General Purpose e-documents

ISO/IEC INTERNATIONAL STANDARD

VALIDATING E-PASSPORTS AT THE BORDER: THE ROLE OF THE PKD R RAJESHKUMAR CHIEF EXECUTIVE AUCTORIZIUM PTE LTD

SPass NX V1.0 on S3CT9KW/S3CT9KC/S3CT9K9 Certification Report

SECURITY TARGET LITE FOR IDEAL PASS V2.0.1 EAC WITH PACE APPLICATION

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Biometric information protection

TWIC Transportation Worker Identification Credential. Overview

This document is a preview generated by EVS

ETSI - European CA-Day. November 29th 2012 I Dr. Kim Nguyen, Chief Scientist Security, Managing Director D-Trust

Security Mechanism of Electronic Passports. Petr ŠTURC Coesys Research and Development

XSmart e-passport V1.2

Past & Future Issues in Smartcard Industry

Probably the best PKI in the world

Security Target Bundesdruckerei Document Application

Security Target Lite for CEITEC epassport Module CTC21001 with BAC

TECHNICAL ADVISORY GROUP ON MACHINE READABLE TRAVEL DOCUMENTS (TAG/MRTD)

ISO/IEC INTERNATIONAL STANDARD. Information technology Biometric data interchange formats Part 4: Finger image data

Security Target Lite

E-PASSPORT SCHEME USING AUTHENTICATION PROTOCOLS ALONG WITH FACE, FINGERPRINT, PALMPRINT AND IRIS BIOMETRICS

ICAS Workshop 3rd October 2005 Single European Sky Implementation Plan - SESAME

Machine Authentication of MRTDs for Public Sector Applications

Biometrics & Smart Cards In Use Today

Common Criteria Protection Profile. Machine Readable Travel Document using Standard Inspection Procedure with PACE (PACE PP)

September OID: Public Document

Your Trusted Partner in Europe European Business Reliance Centre

Common Criteria Protection Profile. Machine Readable Travel Document with ICAO Application, Extended Access Control BSI-CC-PP-0056

Thirteenth Symposium on the ICAO Traveller Identification Programme

White Paper Implementing mobile electronic identity

DAkkS Who we are. Attesting competence, Assuring quality, Creating confidence.

Technical Guideline TR eid-client Part 2: Conformance Test Specification. Version 1.3

Transcription:

Conformity and Interoperability Key Prerequisites for Security of eid documents Holger Funke, 27 th April 2017, ID4Africa Windhoek

Agenda 1. About secunet Security Networks AG 2. Timeline of interoperability for eid documents 3. Requirements and technical guidelines 4. Interoperability as a result of conformity 5. Conclusion Page 2

Headline Facts & figures 1 column layout for heavy text content Customer-orientated corporate culture secunet Security Networks AG Layout without bottom line More than 430 employees at ten sites in Germany Founded in 1997 Listed as prime standard on the German Stock Exchange Largest shareholder (79%): Giesecke & Devrient GmbH 2016 turnover: 115.7m, 2016 EBIT: 13.7m.* (*preliminary results) Page 3

secunet stands for Trust IT security partner of the Federal Republic of Germany In-depth customer understanding Protection of confidential customer data and infrastructures Partner of the Alliance for Cyber Security Experience Almost 20 years in the market Outstanding expert knowledge and understanding of cryptographic processes Long-term customer relationships National and international project references Premium IT Security Made in Germany Internationalism Highest EU and NATO approvals Collaboration in international committees International project awards Innovation Forward-looking, wide-ranging developments for complex tasks Tailored security through customised solutions Broad product and consultation portfolio Page 4

Business Unit Homeland Security Facts In order to protect our society from terrorism and crime, the unique identification of persons must be ensured. Security authorities must be able to securely exchange sensitive data over the Internet. secunet s role Protecting the communication of security authorities Secure solutions for the enrolment and processing of biometric data Conformity testing solutions for eid documents and readers Mobile, stationary and automated border control systems Solutions for the electronic processing of classified documents Page 5

Agenda 1. About secunet Security Networks AG 2. Timeline of interoperability for eid documents 3. Requirements and technical guidelines 4. Interoperability as a result of conformity 5. Conclusion Page 6

Some basics regarding epassports An electronic passport contains a chip with encrypted biographic and biometric data of the holder and also cryptographic information An integrated chip increases the security of the document The International Civil Aviation Organization (ICAO) sets and manages the framework for issuing and managing passports (e.g. Doc 9303) Additional specifications for datapage, physical security features, background systems Chip can be separated in several layers according to ISO / OSI layer model: Layer 7: Data, Logical Data Structure (LDS) Layer 6: Protocols and Cryptography Focus in this presentation Layer 4: Transport (Transmission protocol) Layer 3: Network (Initialisation protocol) Layer 2: Link (Hardware) Layer 1: Pysical (Hardware) Page 7

Which information can be stored in an epassport? Page 8

Milestones of eid documents (chip) Basic Access Control (BAC) Facial Image Passive Authentication (PA) N-PKD for CSCA certs PACE as a supplement for BAC Better entropy of keys Better protection against Skimming Eavesdropping Mobile ID Deviated ID Mobile Phone 2005 2008 2015 2017 201? Extended Access Control (EAC) Fingerprints Bi-lateral agreements between countries to read fingerprints Public Key Infrastructure (CVCA certs) Mutual authentication between reader and chip Terminal Authentication Chip Authentication eidas LDS 2.0 Restricted Identification (RI) Enhanced Role Authentication (ERA) Pseudonymous Signatures Entry / exit stamps Electronic Visa Additional biometrics Page 9

Complexity of eid protocols BAC BAC + EAC Version 1 (BAC) + EAC Version 1 + PACE (BAC) + EAC Version 1 + PACE+ EAC Version 2 (BAC) + EAC Version 1 + PACE + EAC Version 2 + eidas + LDS 2 Page 10

Agenda 1. About secunet Security Networks AG 2. Timeline of interoperability for eid documents 3. Requirements and technical guidelines 4. Interoperability as a result of conformity 5. Conclusion Page 11

Test Specifications to assure Interoperability epassports and inspection systems must be conform to the following test specifications: BSI TR-03105 Part 3.2 emrtd with EACv1 Part 3.3 emrtd with EACv2 (Part 3.4 esign for ID card) BSI TR-03105 Part 5.1 Inspection systems with EACv1 Part 5.2 Reader with EACv2 (Part 5.3 Terminal software for ID card reader) ICAO Technical Guidelines Part 3: emrtd with EACv1 and PACE Part 4: Inspection systems with EACv1 and PACE Page 12

Structure of Test Specifications Components of Test Specification Description of general test requirements Test setup / Testing environment Definition of suitable test profiles / implementation profiles Implementation Conformance Statement (ICS) Definition of testing or configuration data Definition of test cases according to a unified data structure Each test case should concentrate on a single feature to be tested! Structure of Test Case Test case ID: unique identifier for each test case Purpose: objective of the test case Version: current version of this test case independent from the test specification Reference: where is this feature / behaviour specified Preconditions: setup of test case Test scenario: description of test case, step by step and corresponding expected result Postconditions: setdown of test case Page 13

Official Interoperability Tests Since 2003 interoperability tests for epassports were performed to assure international interoperability Crossover tests in combination with conformity tests Crossover tests: Every epassport is tested with every inspection system Conformity tests: Every epassport is tested against the test specification Benefits of conformity testing: Less efforts (crossover test can only be handled with a low number of devices to test) Every feature of an epassport or inspection system can be tested separately Detailed failure analysis allows to improve the stability of the whole emrtd eco system Results help not only to improve the stability of epassports and inspection systems but also to improve the quality of (test) specifications and test tools Page 14

Results and Experience of last Interoperability Tests Madrid 2014 (ICAO) Focus on PACE Companies and countries took part in the test 10 inspection systems, 3 test labs 52 completely different epassports were tested Detailed results: http://blog.protocolbench.org/2014/07/results-sac-interoperability-test-madrid-2014/ London 2016 (Security Document World) Focus on PACE and PACE-CAM 17 document provides, 27 epassports, 12 inspection systems, 2 test labs Inspection system were tested in crossover tests epassports were additionally tested against subset of ICAO test specification 8502 test cases were performed, 98% passed Detailed results: http://blog.protocolbench.org/2016/05/results-emrtd-interoperability-test-2016/ Next InteropTest: End of September at Joint Research Center (JRC) in Italy organised by the European Commission and performed by JRC with focus on PACE! Page 15

Check Interoperability with tools automatically Golden Reader Tool (GRT) Reference implementation for epassports with biometric data Reads the data stored on the ICAO compliant chip and displays them GlobalTester (GT) For conformity tests of eid documents and inspection systems Support of all relevant protocols in context of eid documents (PACE, TA, CA etc.) Used at several interoperability tests worldwide since 2006 Customers: chip vendors, application vendors, national security printers, test labs Detailed test report -> certification Page 16

Agenda 1. About secunet Security Networks AG 2. Timeline of interoperability for eid documents 3. Requirements and technical guidelines 4. Interoperability as a result of conformity 5. Conclusion Page 17

One Result of Interoperability: Automated Border Control egates: Automated border control increases security: Spend less time for standard tasks More time for analysing critical epassports Source: blog.protocolbench.org Page 18

Example for Automated Border Control: EasyPASS Travellers 2015 * 2016 * Overall Entry (Germany) 39.9 40.9 Overall Exit (Germany) 39.4 40.4 EasyPass Users 9.1 12.1 Frankfurt Airport (overall) 25.5 24.9 Part of EasyPASS (Frankfurt) 18.0% 25.0% * In million users, Source: Federal Police Page 19

Agenda 1. About secunet Security Networks AG 2. Timeline of interoperability for eid documents 3. Requirements and technical guidelines 4. Interoperability as a result of conformity 5. Conclusion Page 20

Conclusion Interoperability of eid documents is the result of conformity testing easily and automatically testable by using internationally established tools Security of eid documents is achieved by interoperability. key functionality for world-wide travelling the key element for automatic border control Page 21

Holger Funke Principal - Division Homeland Security secunet Security Networks AG Hauptstr. 35 33178 Borchen Germany Phone +49 201 5454-3865 Fax +49 201 5454-1324 holger.funke@secunet.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback